Danilo Krummrich
2025-Sep-02 19:53 UTC
[PATCH v3 02/11] gpu: nova-core: move GSP boot code out of `Gpu` constructor
On Tue Sep 2, 2025 at 4:31 PM CEST, Alexandre Courbot wrote:> diff --git a/drivers/gpu/nova-core/driver.rs b/drivers/gpu/nova-core/driver.rs > index 274989ea1fb4a5e3e6678a08920ddc76d2809ab2..1062014c0a488e959379f009c2e8029ffaa1e2f8 100644 > --- a/drivers/gpu/nova-core/driver.rs > +++ b/drivers/gpu/nova-core/driver.rs > @@ -6,6 +6,8 @@ > > #[pin_data] > pub(crate) struct NovaCore { > + // Placeholder for the real `Gsp` object once it is built. > + pub(crate) gsp: (), > #[pin] > pub(crate) gpu: Gpu, > _reg: auxiliary::Registration, > @@ -40,8 +42,14 @@ fn probe(pdev: &pci::Device<Core>, _info: &Self::IdInfo) -> Result<Pin<KBox<Self > )?; > > let this = KBox::pin_init( > - try_pin_init!(Self { > + try_pin_init!(&this in Self { > gpu <- Gpu::new(pdev, bar)?, > + gsp <- { > + // SAFETY: `this.gpu` is initialized to a valid value. > + let gpu = unsafe { &(*this.as_ptr()).gpu }; > + > + gpu.start_gsp(pdev)? > + },Please use pin_chain() [1] for this. More in general, unsafe code should be the absolute last resort. If we add new unsafe code I'd love to see a comment justifying why there's no other way than using unsafe code for this, as we agreed in [2]. I did a quick grep on this series and I see 21 occurrences of "unsafe", if I substract the ones for annotations and for FromBytes impls, it's still 9 new ones. :( Do we really need all of them? Otherwise, I really like this, it's a great improvement over initializing everything into the Gpu struct -- thanks for the refactoring! [1] https://rust.docs.kernel.org/kernel/prelude/trait.PinInit.html#method.pin_chain [2] https://docs.kernel.org/gpu/nova/guidelines.html#language
Alexandre Courbot
2025-Sep-03 07:08 UTC
[PATCH v3 02/11] gpu: nova-core: move GSP boot code out of `Gpu` constructor
On Wed Sep 3, 2025 at 4:53 AM JST, Danilo Krummrich wrote:> On Tue Sep 2, 2025 at 4:31 PM CEST, Alexandre Courbot wrote: >> diff --git a/drivers/gpu/nova-core/driver.rs b/drivers/gpu/nova-core/driver.rs >> index 274989ea1fb4a5e3e6678a08920ddc76d2809ab2..1062014c0a488e959379f009c2e8029ffaa1e2f8 100644 >> --- a/drivers/gpu/nova-core/driver.rs >> +++ b/drivers/gpu/nova-core/driver.rs >> @@ -6,6 +6,8 @@ >> >> #[pin_data] >> pub(crate) struct NovaCore { >> + // Placeholder for the real `Gsp` object once it is built. >> + pub(crate) gsp: (), >> #[pin] >> pub(crate) gpu: Gpu, >> _reg: auxiliary::Registration, >> @@ -40,8 +42,14 @@ fn probe(pdev: &pci::Device<Core>, _info: &Self::IdInfo) -> Result<Pin<KBox<Self >> )?; >> >> let this = KBox::pin_init( >> - try_pin_init!(Self { >> + try_pin_init!(&this in Self { >> gpu <- Gpu::new(pdev, bar)?, >> + gsp <- { >> + // SAFETY: `this.gpu` is initialized to a valid value. >> + let gpu = unsafe { &(*this.as_ptr()).gpu }; >> + >> + gpu.start_gsp(pdev)? >> + }, > > Please use pin_chain() [1] for this.Sorry, but I couldn't figure out how I can use pin_chain here (and couldn't find any relevant example in the kernel code either). Can you elaborate a bit?> > More in general, unsafe code should be the absolute last resort. If we add new > unsafe code I'd love to see a comment justifying why there's no other way than > using unsafe code for this, as we agreed in [2]. > > I did a quick grep on this series and I see 21 occurrences of "unsafe", if I > substract the ones for annotations and for FromBytes impls, it's still 9 new > ones. :( > > Do we really need all of them?I've counted 16 uses of `unsafe`. :) - 3 in the bindgen-generated code (these can't be avoided), - 7 to implement `FromBytes`, - 1 to work around the fact that `FromBytes` doesn't work on slices yet (maybe that one can be removed) - 5 as a result of intra-dependencies in PinInit initializers (which we might be able to remove if I figure out how to use `pin_chain`). So best-case scenario would be that we will be down to 10 that are truly unavoidable.